OK, I typed what you suggested and I got the proper answer.
Thanks, Miroslav !!
Arigato!
[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_bind -C
Found 12 semantic av rules:
DT allow httpd_script_type port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]
DT allow httpd_script_type port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow httpd_script_type ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]
DT allow httpd_script_type ephemeral_port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]
DT allow httpd_script_type unreserved_port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]
DT allow httpd_script_type unreserved_port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
2014-11-03 16:32 GMT+09:00 Miroslav Grepl <mgrepl@xxxxxxxxxx>:
On 11/01/2014 03:57 AM, Shintaro Fujiwara wrote:
Yes, this is expected. It is allowed only by booleans.

Though 12 rules were caught by sesearch, none were displayed.

On my fedora20 box, I tried to check the Bash Exploit as Dan did on his latest blog post.
What I got is,
[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D
Found 12 semantic av rules:

$ sesearch -A -s httpd_sys_script_t -p name_bind -C
Next I typed,
[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_connect -C | grep -v ^D
Found 24 semantic av rules:
allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow nsswitch_domain dnssec_port_t : tcp_socket name_connect ;
ET allow httpd_sys_script_t gds_db_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow nsswitch_domain ocsp_port_t : tcp_socket name_connect ; [ kerberos_enabled ]
ET allow httpd_sys_script_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t oracle_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t mssql_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow nsswitch_domain kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ kerberos_enabled ]
ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]
This is ok.
What's wrong with name_bind thing?
I use
setools-console x86_64 3.3.7-41.fc20
--
A page for rooting heavy metal and hard rock in Japan
http://sourceforge.net/projects/webon/
CMS (free software using PHP and PostgreSQL)
https://github.com/intrajp/irforum_jp
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
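Added example, not from this thread or from the setools project: a small Python parser for the `sesearch -C` lines quoted above that evaluates each rule's postfix boolean condition (the `[ httpd_enable_cgi nis_enabled && ]` part) against a map of boolean states, which shows why `grep -v ^D` prints none of the 12 name_bind rules while those booleans are off. The sample output is constructed from the lines in this thread, and the operator set handled (`&&`, `||`, `!`, `^`, `==`, `!=`) is an assumption about what sesearch can print.

```python
import re
# Constructed sample of `sesearch -A -s httpd_sys_script_t -p name_bind -C` output,
# modelled on the lines quoted in this thread; it was not captured from a live box.
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
DT allow httpd_script_type port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]
DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
   allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
"""
# One sesearch -C line: optional D/E (disabled/enabled) + T/F (true/false branch) flags,
# the av rule itself, and an optional postfix boolean expression in [ ... ].
RULE_RE = re.compile(
    r"^(?P<flags>[DE][TF])?\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;(?:\s*\[\s*(?P<cond>.*?)\s*\])?\s*$")
BINARY = {"&&": lambda a, b: a and b, "||": lambda a, b: a or b, "^": lambda a, b: a != b,
          "==": lambda a, b: a == b, "!=": lambda a, b: a != b}  # assumed operator set

def eval_cond(expr, booleans):
    """Evaluate a postfix condition such as 'httpd_enable_cgi nis_enabled &&' against a {name: bool} map."""
    stack = []
    for tok in expr.split():
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in BINARY:
            b, a = stack.pop(), stack.pop()
            stack.append(BINARY[tok](a, b))
        else:
            stack.append(bool(booleans.get(tok, False)))  # a boolean not in the map counts as off
    if len(stack) != 1:
        raise ValueError("malformed condition: %r" % expr)
    return stack[0]

def parse_rules(text):
    """Parse sesearch -C output into dicts; the 'Found N ...' header line is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        rules.append({"enabled_now": (m.group("flags") or "")[:1] != "D", "source": m.group("src"),
                      "target": m.group("tgt"), "class": m.group("cls"), "perms": perms,
                      "cond": m.group("cond")})  # cond is None for an unconditional rule
    return rules

def rules_granting(text, perm, booleans):
    """For every rule granting `perm`, say whether it would be active under `booleans`
    (all booleans off reproduces 'grep -v ^D' printing nothing for name_bind)."""
    return [(r, r["cond"] is None or eval_cond(r["cond"], booleans))
            for r in parse_rules(text) if perm in r["perms"]]
```

Feed it the real output of `sesearch -C` (without the `grep -v ^D`) and the booleans reported by `getsebool -a` to see which booleans would have to be turned on for a given rule to take effect.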